Fraudulent *.google.com certificate issued

Posted Aug 30, 2011 19:59 UTC (Tue) by pabs (subscriber, #43278)
In reply to: Fraudulent *.google.com certificate issued by dkg
Parent article: Fraudulent *.google.com certificate issued

I think Moxie Marlinspike puts this the best:

http://blog.thoughtcrime.org/ssl-and-the-future-of-authen...

"So unfortunately the DNSSEC trust relationships depend on sketchy organizations and governments, just like the current CA system."


Marlinspike

Posted Aug 31, 2011 0:50 UTC (Wed) by tialaramex (subscriber, #21167)

To me Marlinspike's position is silly. First of all there's his rejection of scope: to Marlinspike it is apparently inconceivable that different people are authoritative about whitehouse.gov compared to mfa.gov.cn. No, any potential authority must be all-knowing, an impossible standard which just sets them up to fail like today's CAs.

Secondly, there's his emphasis on trust "agility" that's useless to everybody but a tiny number of nerds like Marlinspike or myself. My mother isn't going to spend hours every week reconsidering her choice of authority; she isn't even going to spend ten minutes a year. She'll accept the out-of-box default like every other user, the same situation (and thus the same problem) as we have now.

Finally Marlinspike's confusion between the root operators and ICANN is either ignorant (in which case who cares what somebody who doesn't know the first thing about DNS thinks?) or malicious. ICANN lacks the technical capability to do what this blog entry suggests, the KSK isn't in their possession so they simply can't create the imaginary alternate key hierarchy needed for such spoofing. Manipulating ICANN is a very different thing from going after the root operators, either in the form of the corporations and other legal entities or the actual men-with-beards who perform the public key ceremonies.

Fraudulent *.google.com certificate issued

Posted Sep 1, 2011 20:54 UTC (Thu) by job (guest, #670)

Marlinspike's reasoning is simplified to the point of being flat out wrong. I trust my TLD a whole lot more than I trust the Chinese Internet NIC, or any of the other 1500 CAs that browsers trust today.

Fraudulent *.google.com certificate issued

Posted Sep 6, 2011 4:14 UTC (Tue) by clint (subscriber, #7076)

Is your TLD run by an organization not rife with incompetence, laziness, and corruption?

Fraudulent *.google.com certificate issued

Posted Sep 6, 2011 7:45 UTC (Tue) by job (guest, #670)

Absolutely. I recognize some of the technicians responsible from UNIX groups and mailing lists and I have no reason to doubt their competence.

But the point here is that I can choose which TLD I register my domains under, and trust is not implicitly delegated between them. Even if the .xxx top level domain (as a completely made up example) is run by greedy or incompetent people, they can't create a mess for anyone else, as opposed to the current CA model where DigiNotar can sign "CN=*.*.com".

That is not just an implementation detail, it's a fundamental difference.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds